Posted to users@zeppelin.apache.org by Michał Kabocik <mi...@gmail.com> on 2017/01/30 11:01:42 UTC

Thank you for the reply.

I know that impersonation is done by livy, but when I have user impersonation disabled on livy.spark interpreter, then livy impersonates zeppelin user, not my user. On ranger audit and in yarn history manager I see zeppelin via livy-session. 
What I want to achieve is to have my user (logged in to zeppelin after AD authentication) impersonated. I need this to be able to apply ranger data access policies based on the users/groups from AD.
Is there a way to implement this scenario?

I'll appreciate any suggestions.
Kind regards,
Michał


Posted by Michał Kabocik <mi...@gmail.com>.
Hello,

The current configuration looks like this:

livy.conf:

livy.impersonation.enabled = true
livy.server.csrf_protection.enabled = true
livy.server.port = 8998
livy.server.session.timeout = 3600000
livy.server.auth.type = kerberos
livy.server.launch.kerberos.principal = livy/hostname@domain.com
livy.server.launch.kerberos.keytab = /etc/security/keytabs/livy.service.keytab
livy.server.auth.kerberos.principal = HTTP/hostname@domain.com
livy.server.auth.kerberos.keytab = /etc/security/keytabs/spnego.service.keytab
livy.server.access_control.enabled true
livy.server.access_control.users  livy,zeppelin
livy.superusers = zeppelin
livy.server.session.factory = yarn

livy interpreter on zeppelin:

livy.impersonation.enabled	true
livy.spark.master	yarn-client
livy.superusers	zeppelin
zeppelin.interpreter.localRepo	/usr/hdp/current/zeppelin-server/local-repo/2C42AQ9SU
zeppelin.livy.keytab	/etc/security/keytabs/zeppelin.service.keytab
zeppelin.livy.principal	zeppelin/hostname@domain.com
zeppelin.livy.url	http://hostname:8998

And when I try to execute:

%livy.spark
val file = sc.textFile("hdfs:///user/my_user/file.txt")
file.take(1)

I get:
Error running rest call; nested exception is org.springframework.web.client.HttpClientErrorException: 401 User not authorised to use Livy.

When I look into the zeppelin-interpreter-livy log file I see:

 - http-outgoing-1 >> "}, "proxyUser": "MY_USER@DOMAIN.COM"}"
 - http-outgoing-1 << "HTTP/1.1 401 User not authorised to use Livy.[\r][\n]"

MY_USER@DOMAIN.COM is my user from AD with which I'm logged into Zeppelin.
What am I doing wrong?

I'll appreciate your help.
Michał


Re:

Posted by Jeff Zhang <zj...@gmail.com>.
If you enable impersonation on the livy server side, the spark application
should be launched as the user who logs in to zeppelin. Did you enable
impersonation in the livy server?

Michał Kabocik <mi...@gmail.com> wrote on Monday, January 30, 2017 at 7:01 PM:

> Thank you for the reply.
>
> I know that impersonation is done by livy, but when I have user
> impersonation disabled on livy.spark interpreter, then livy impersonates
> zeppelin user, not my user. On ranger audit and in yarn history manager I
> see zeppelin via livy-session.
> What I want to achieve is to have my user (logged in to zeppelin after AD
> authentication) impersonated. I need this to be able to apply ranger data
> access policies based on the users/groups from AD.
> Is there a way to implement this scenario?
>
> I'll appreciate any suggestions.
> Kind regards,
> Michał
>
>